Introduction

Designed for the enterprise, Silo’s implementation of SAML SSO allows for PIN-less access with federated authentication through your preferred Identity Provider (IdP).


All Silo authentication steps are seamless and transparent to the end-user when employing SAML SSO functionality.


Technical Details

Silo will work with any SAML 2.0 SSO implementation with a few exceptions. 


SSO compatibility has been verified with the following IdPs:

  • Azure Active Directory
  • Duo
  • F5 BIG-IP
  • Microsoft AD FS
  • Okta
  • OneLogin
  • PingIdentity
  • SecureAuth
  • GSuite
  • Google SSO


System Requirements

  • A working, compatible SAML 2.0 IdP
  • Silo Access Portal must be enabled.
  • For Windows installs, the enabling of Integrated Windows Authentication (IWA) is optional.
  • TLS 1.2 connection

NOTE: Effective March 30, 2020, our products will only support TLS 1.2 connections and will cease support for TLS 1.1. For the Installed Client, please ensure that its version meets or exceeds the minimum required to support TLS 1.2, and that any in-line network infrastructure that connects to our servers has been configured to use TLS 1.2.


Configuration

If you are already familiar with providing Single-Sign-On (SSO) access to other services, then the configuration should be straightforward.


As a first step before starting, we recommend reviewing your SAML IdP's documentation on Service Provider (SP) configuration. This step should include locating your IdP's configuration URL values and X.509 (.crt) IdP Signing Certificate to help streamline the process.


Silo Portal Configuration

The Silo Portal configuration step consists of setting the Silo Access Portal (Vanity) URL; the Vanity URL must be set in order for the SAML SSO configuration to work.

This will serve as a custom URL for SSO access to Silo.


Steps

From the Silo Admin Console, navigate to the Users and Orgs section:


A. Click the Manage button

B. Select your ORG and click the Edit Orgs button

C. Enter a value in the Vanity URL field

D. Click Save



Silo Single Sign-On Configuration


A. From the Silo Admin Console navigate to the Single Sign-On configuration page.




 

B. Enable SAML SSO and click Save




IdP Configuration Steps

A. Copy and paste the displayed SP URLs to update your IdP.
B. Download your X.509 .crt encryption certificate and install it on your IdP.

NOTES: 
  • Please see your IdP's documentation for specific instructions on entering the required SP URLs.
  • Authentic8 may have additional configuration support for other IdPs, which can be requested by contacting Support.


IdP Cheat Sheets




Silo (SP) Configuration Steps


A. From your IdP, obtain the required URLs

B. Update Silo (SP) with the URLs

C. Upload your X.509 .crt IdP signing certificate from your IdP



D. Click Save

E. The final step in configuring SAML is modifying the Installed Client with the proper registry settings



Windows Registry

Here are the required Windows Registry entries.

Please note that the FEATURE_BROWSER_EMULATION value is 2710 hexadecimal, not decimal. The decimal value is 10000.





Note: Silo Access Portal (Vanity) URL is required to set IEWebViewURL. 



IEWebViewMode Settings 
When making the SAML registry changes, the IEWebViewMode setting needs to be set to the appropriate value.


Value   Authentication Method
0       Standard login (e.g., PIN or Deferred PIN)
1       A combined standard login and SAML option for testing.
2       SAML


macOS plist Configuration

A. Open Terminal


B. If necessary, cd to /Users/<username>/Library/Preferences/, where com.authentic8.launcher.plist is stored


C. Enter command as one continuous line:

defaults write com.authentic8.launcher WebViewUrl https://getsilo.com/sso/saml/client/<vanity_url_value>


D. Enter command: defaults write com.authentic8.launcher WebViewMode <1 or 2>


Examples:
Enter a value of [1] to display an optional [Use SSO] button

defaults write com.authentic8.launcher WebViewMode 1


Enter a value of [2] to enforce SSO authentication only

defaults write com.authentic8.launcher WebViewMode 2


E. To confirm the plist values, enter command: 

defaults read com.authentic8.launcher | grep -i WebView
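
An added example, not Authentic8's code: a shell check that takes the step E output and reports whether the launcher is set to SSO-only (WebViewMode 2) with the expected vanity URL. The function names, the ENFORCED/OPTIONAL/MISCONFIGURED labels and the `acme` vanity value are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): audit the launcher preferences set in steps C-E.
# Result names ENFORCED / OPTIONAL / MISCONFIGURED are this example's own labels.

SILO_SSO_PREFIX='https://getsilo.com/sso/saml/client/'

# Print the value of key $1 from `defaults read` output on stdin.
# defaults prints one "Key = value;" line per key and quotes values such as URLs.
pref_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\};[[:space:]]*\$/\1/p" | head -n 1
}

# $1 = expected vanity URL value; `defaults read` output on stdin.
# Returns 0 when SSO-only (mode 2), 1 when SSO is optional (mode 1), 2 otherwise.
check_silo_sso() {
    prefs=$(cat)
    mode=$(printf '%s\n' "$prefs" | pref_value WebViewMode)
    url=$(printf '%s\n' "$prefs" | pref_value WebViewUrl)
    if [ "$url" != "${SILO_SSO_PREFIX}$1" ]; then
        echo "MISCONFIGURED: WebViewUrl is '${url:-unset}'"
        return 2
    fi
    case $mode in
        2) echo "ENFORCED: WebViewMode 2, SSO authentication only"; return 0 ;;
        1) echo "OPTIONAL: WebViewMode 1, [Use SSO] button shown"; return 1 ;;
        *) echo "MISCONFIGURED: WebViewMode is '${mode:-unset}'"; return 2 ;;
    esac
}

# Constructed sample of `defaults read com.authentic8.launcher` output;
# "acme" is a made-up vanity URL value.
SAMPLE_PREFS='{
    WebViewMode = 1;
    WebViewUrl = "https://getsilo.com/sso/saml/client/acme";
}'

# With an argument, audit this Mac; without one, run against the sample.
if [ -n "${1:-}" ]; then
    defaults read com.authentic8.launcher | check_silo_sso "$1"
else
    printf '%s\n' "$SAMPLE_PREFS" | check_silo_sso acme || true
fi
```

Run it with your vanity URL value as the only argument; the exit status (0, 1 or 2) lets a fleet-management tool flag Macs still left in the optional mode 1 after testing.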


Optional: Integrated Windows Authentication (IWA) Settings

Configure your Internet Options to allow secure communication between our client and your internal SSO server.


Here are the steps:

  1. Control Panel
  2. Internet Options
  3. Security
  4. Local intranet
  5. Sites
  6. Advanced
  7. Type https://yourserver.yourdomain.com then click Add



Additional Notes  

Please contact Support if you have any additional questions and/or require further information.